You Can't Always Get What You Want: How Will Law Enforcement Get What it Needs in a Post-CALEA, Cybersecurity-Centric Encryption Era?

May 30, 2016

In recent years, many technology companies have enabled encryption by default in their products, thereby burdening law enforcement efforts to intercept communications content or access data stored on smartphones by traditional means. Even before such encryption technologies were widely used, however, the Federal Bureau of Investigation (“FBI”) claimed its surveillance capabilities were “Going Dark” due to the adoption by consumers of new IP-based communication technologies, many of which are not subject to any surveillance-enabling obligations under the Communications Assistance for Law Enforcement Act (“CALEA”). The heightened tension produced by the introduction of encryption by default into an environment where terrorism has magnified the need for efficient law enforcement access (surveillance) supported by a newly-expanded CALEA framework is often framed as a contest between privacy and security. It is, however, more accurately framed as a security issue on both sides, one side which integrates traditional privacy concerns with the growing focus upon cybersecurity equities (the “cybersecurity” argument) into a critique of a second regime of “exceptional access” posited by law enforcement to sustain its access advantages either: (1) by mandating that manufacturers insert “backdoors” into applications, devices and communications networks; or (2) by forcing companies, after-the-fact, to circumvent and undermine security features they purposefully build into their products and services. The cybersecurity and, incidentally, pro-privacy position rejects exceptional access as a dangerous fiction that would, among other things, create new attack surfaces, rendering networks more vulnerable to every form of predation, from financial crime and IP theft to cyber espionage, ultimately generating unacceptable risks to our national and economic security. The reconciliation of these competing visions of security—of law enforcement’s traditional public safety mission with cybersecurity—will require law enforcement to employ investigative techniques that may include, among other things, enhanced collection and exploitation of metadata, which is not generally thwarted by the use of encryption technology. Although many sources and forms of metadata are already available to law enforcement, the widespread adoption of Internet of Things (“IoT”) technology will generate additional forms of metadata, potentially revealing sensitive information that would have been difficult for the government to obtain in the past. Moreover, many IoT devices include microphones and cameras that could be used to eavesdrop remotely on targets, whether through direct hacking or through law enforcement’s power to compel third parties to facilitate such eavesdropping, thereby potentially mitigating surveillance losses due to a target’s use of encrypted communications.
This Article asserts that, for better or worse, law enforcement has entered a new post-CALEA, cybersecurity-centric investigative era where the use of encryption and other security-enhancing technologies is an irreversible fact and where getting a warrant or court order will not, in and of itself, guarantee law enforcement access to communications data. In this new surveillance era, law enforcement will more often find itself forced to employ individualized “collection” solutions for specific investigations, rather than enjoy the ready-made access provided by a CALEA like regime. That is, law enforcement will need, among other things, to target end-point devices, such as phones, computers and IoT devices, rather than the surveillance mechanisms mandated by a CALEA-like regime. As law enforcement seeks to employ old and new kinds of investigative techniques that involve neither designing access points into communications networks nor mandating circumvention of security features in mobile devices—policy choices necessary to support fundamental imperatives of cybersecurity—policy makers will be forced to consider how to facilitate, regulate, and oversee these law enforcement capabilities and activities, balancing what law enforcement may need against the social benefits of transparency and electronic privacy. The current debate over law enforcement exceptional access is more consistently divisive than not and, for the most part, not focused on how to get law enforcement what it needs without undermining fundamental principles of cybersecurity. A new dialogue on how to get law enforcement what it actually needs in a Post-CALEA, default-encryption era would be a much-needed step forward. That journey forward, however, will require a return to some of the historical debates about metadata collection and standards governing law enforcement access to various kinds of new revelatory metadata, such as that generated through the ever expanding IoT. Moreover, this journey will raise new legal, ethical, and policy questions about when and if law enforcement should be permitted to use IoT apertures for seeing and hearing activities inside the home.